{"slug": "atheon-atheon-is-a-community-driven-pattern-matching-engine", "title": "Atheon - Atheon is a community-driven pattern matching engine", "summary": "Atheon, a community-driven pattern matching engine, launched as a CLI tool that scans any input for user-defined patterns, returning true or false for each rule. It can be used as a pre-commit hook, MCP server, or in CI pipelines to block sensitive data like leaked credentials or API keys before they leave the machine. The project aims to build a shared library of patterns contributed by the community.", "body_md": "One tool. All patterns. Any input.\n\nAtheon is a community-driven pattern matching engine. You define what you're looking for. You point it at anything. It finds every match and tells you exactly where, returning a clear `true` or `false` for every rule, every time.\n\nAtheon is a CLI tool built around a single idea: **any pattern, any domain, any input.** It doesn't care whether you're scanning for leaked credentials, patient identifiers, financial account numbers, prohibited strings in compliance-scoped code, or anything else you can describe as a rule. If the pattern is clear, if it can return true or false, Atheon runs it.\n\nThe engine itself is deliberately minimal. It has no opinions about what matters. That knowledge lives in the patterns, and the patterns come from the community.\n\n**Three ways people use Atheon:**\n\n- **Pre-commit / pre-push hook** — blocks bad commits before they leave the machine. Exit code `1` on any finding, which is all a hook needs to abort.\n- **MCP server** — `atheon-mcp` speaks the Model Context Protocol. Wire it into Claude, Cursor, or Windsurf and the AI can scan code mid-generation, before it ever reaches a file.\n- **CI pipeline** — drop `atheon --categories=secrets .` into any pipeline. Native binary, no runtime, no dependencies, runs in milliseconds regardless of pattern count.\n\nAtheon isn't trying to be the next big secrets scanner. 
It's not competing to become a giant. It's trying to be a **platform**.\n\nHere's the idea: a developer on a team is working with sensitive data. They write a pattern for Atheon, contribute it, and it ships in the next release. Now everyone using Atheon has that pattern registered. The next team in a similar situation doesn't have to build it from scratch; it's already there.\n\nThat's Atheon: a community-driven engine where you, me, and anyone else can add patterns that every user benefits from. The goal is a library of rules that covers every domain where text contains something that matters, built not by one company, but by everyone who uses it.\n\n**Security. Compliance. Finance. Healthcare. Legal. Operations. Gaming. Anything.**\n\nIf you can describe the rule, Atheon can run it.\n\nSkip to **9:36** for the live demo, or watch the whole thing to see what Atheon is about.\n\nA developer wraps up a sprint and pushes a configuration file. Buried in a comment from a debugging session three weeks ago is a production API key. The commit goes through. The pipeline passes. Two months later, someone notices unusual billing activity.\n\nAtheon, wired into a pre-push hook:\n\n```bash\n$ atheon ./\n\nopenai-api-key  config/app.yaml:47\n  # de****4f59\n\n1 finding(s)\nscanned 23 file(s)  41.3 KB  4ms\n```\n\nExit code `1`. The push never happens. The key never leaves the machine.\n\nThat's it. That's the product.\n\n**Homebrew (macOS / Linux):**\n\n```\nbrew tap HoraDomu/atheon\nbrew install atheon\n```\n\n**Scoop (Windows):**\n\n```\nscoop bucket add atheon https://github.com/HoraDomu/scoop-atheon\nscoop install atheon\n```\n\n**Manual:** Download the binary for your platform from [Releases](https://github.com/HoraDomu/Atheon/releases/latest). No install, no runtime, no dependencies. 
Drop it in your PATH and run it.\n\n**Build from source:**\n\n```\ngo build -o atheon .\n```\n\n```\natheon <path>                         scan a directory or file\natheon --file <path>                  scan a single file explicitly\natheon --env                          scan all environment variables\natheon --json <path>                  output findings as JSON\natheon --categories=<c1,c2> <path>   scan specific pattern categories only\natheon --all <path>                   include disabled patterns in scan\natheon list                           list all patterns with enabled/disabled status\natheon list --enabled                 list only enabled patterns\natheon list --disabled                list only disabled patterns\natheon list --category=<cat>          list patterns for a specific category\natheon list categories                list available category names\natheon enable <pattern>               enable a pattern by name\natheon disable <pattern>              disable a pattern by name\natheon update                         download the latest patterns bundle\natheon --version                      show version\natheon --help                         show help\n```\n\nPipe support — pass `-` (or `--stdin`) to read from stdin:\n\n```\ncat file.txt | atheon -\ngit diff | atheon -\ngit diff | atheon --stdin\n```\n\nExit code `0` = clean. Exit code `1` = findings. CI-friendly by default.\n\n**Category filtering**\n\nPatterns are organized into categories. Run only what you need:\n\n```\natheon --categories=secrets .\natheon --categories=secrets,pii .\natheon list categories\natheon list --category=secrets\n```\n\nThis keeps scans fast regardless of how many patterns are in the bundle. A pre-commit hook scanning only `secrets` costs nothing for PII patterns you don't need in that context.\n\n**Cross-platform:** native binaries for Windows, macOS (Intel + Apple Silicon), and Linux. 
No runtime, no dependencies.\n\n**Ignore rules**\n\nDirectory scans automatically respect `.gitignore`. Drop a `.atheonignore` in your project root to exclude anything not already covered — test fixtures, generated files, `.env` files:\n\n```\n# .atheonignore\ntest/\n*.generated.go\n.env\n\n# negation — ignore all of dist/ except this one file\ndist/\n!dist/keep.yaml\n\n# character class negation — ignore .txt files whose name does not start with a lowercase letter\n[!a-z]*.txt\n```\n\nFull gitignore syntax is supported, including `**`, `!` negation rules, and `[!...]` character class negation.\n\n**JSON output with flags**\n\n`--json` must be the first flag. It can precede any scan command:\n\n```\natheon --json ./\natheon --json --file config.yaml\natheon --json --env\natheon --json --categories=secrets ./\n```\n\nTo suppress a single line without ignoring the whole file, add `atheon:ignore` anywhere on that line:\n\n```\nDEBUG_KEY=sk-fake-key-for-testing  # atheon:ignore\n```\n\n**JSON output**\n\nUse `--json` to integrate with other tools or build your own pipeline on top:\n\n```\natheon --json ./\n```\n\nOutput is a JSON array, one object per finding:\n\n```\n[{\"pattern\":\"openai-api-key\",\"file\":\"config/app.yaml\",\"line\":47,\"match\":\"# debug key: sk-...\"}]\n```\n\n**Environment scanning**\n\n`--env` scans every variable in the current environment, which is useful in CI to catch patterns injected at runtime rather than stored in files:\n\n```\natheon --env\n```\n\n**Pre-commit / pre-push hook**\n\nDrop Atheon into a git hook to block bad commits before they leave the machine:\n\n```bash\n#!/bin/sh\n# .git/hooks/pre-push\natheon ./\n```\n\nOr with category filtering for speed:\n\n```bash\n#!/bin/sh\natheon --categories=secrets ./\n```\n\nWire it into whatever hook runner you already use (pre-commit, Husky, Lefthook). 
Atheon returns exit code `1` on any finding, which is all a hook needs to abort.\n\n**MCP server**\n\nAtheon ships a separate `atheon-mcp` binary that speaks the Model Context Protocol over stdio. Drop it into any MCP-compatible AI tool to let the assistant scan code, files, and directories for pattern matches.\n\n**Download releases:**\n\n- Linux: `atheon-mcp-linux-amd64` or `atheon-mcp-linux-arm64`\n- macOS: `atheon-mcp-darwin-amd64` or `atheon-mcp-darwin-arm64`\n- Windows: `atheon-mcp-windows-amd64.exe`\n\n**Homebrew:**\n\n```\nbrew tap HoraDomu/atheon\nbrew install atheon\n# Installs both atheon and atheon-mcp\n```\n\n**Scoop (Windows):**\n\n```\nscoop bucket add atheon https://github.com/HoraDomu/scoop-atheon\nscoop install atheon\n# Includes both atheon and atheon-mcp\n```\n\n**Build from source:**\n\n```\ngo build -o atheon-mcp ./cmd/mcp\n```\n\n**Claude Code:**\n\n```\n{\n  \"mcpServers\": {\n    \"atheon\": {\n      \"command\": \"/path/to/atheon-mcp\"\n    }\n  }\n}\n```\n\n**Cursor:**\n\n```\n{\n  \"mcpServers\": {\n    \"atheon\": {\n      \"command\": \"atheon-mcp\",\n      \"args\": []\n    }\n  }\n}\n```\n\n**Windsurf:**\n\n```\n{\n  \"mcpServers\": {\n    \"atheon\": {\n      \"command\": \"/usr/local/bin/atheon-mcp\"\n    }\n  }\n}\n```\n\n**scan_string** - Scan text content for patterns:\n\n```\n{\n  \"name\": \"scan_string\",\n  \"arguments\": {\n    \"content\": \"API_KEY=sk-1234567890abcdef\",\n    \"source\": \"environment\",\n    \"categories\": [\"secrets\"]\n  }\n}\n```\n\n**scan_file** - Scan a single file:\n\n```\n{\n  \"name\": \"scan_file\",\n  \"arguments\": {\n    \"path\": \"/path/to/config.yaml\",\n    \"categories\": [\"secrets\", \"pii\"]\n  }\n}\n```\n\n**scan_dir** - Scan entire directories:\n\n```\n{\n  \"name\": \"scan_dir\",\n  \"arguments\": {\n    \"path\": \"/path/to/project\",\n    \"categories\": [\"secrets\", \"pii\", \"code-quality\"]\n  }\n}\n```\n\n**Claude Code Example:**\n\n```\nUser: \"Can you 
scan the current directory for security issues?\"\nAssistant: [Uses scan_dir tool] \"I found 3 security issues in your codebase...\"\n```\n\n**Cursor Example:**\n\n```\nUser: \"@Atheon scan this file\"\nAssistant: [Uses scan_file tool] \"Found 2 patterns in config.yaml...\"\n```\n\nAvailable categories for filtering:\n\n- `secrets` - API keys, tokens, credentials\n- `pii` - Personal information (SSN, credit cards, etc.)\n- `code-quality` - Debug statements, TODOs, technical debt\n- `healthcare` - Medical identifiers, PHI patterns\n- `finance` - IBAN, ABA routing numbers, SWIFT/BIC codes\n\nOmit the `categories` parameter to scan all categories.\n\nAll patterns live in `community/` as plain YAML files — no Go required. The engine ships with a compiled bundle embedded in the binary. Run `atheon update` to pull the latest bundle from the release. The update command reports exactly what changed — which patterns were added or removed.\n\nAdding a new pattern is one file:\n\n```\n# community/secrets/my-service.yaml\nname: my-service-api-key\nmatch: '\\bmsvc_[A-Za-z0-9]{32}\\b'\nenabled: false   # optional — omit to default to true\n```\n\nFields:\n\n- `name` — unique lowercase-hyphenated identifier. Be specific: `stripe-live-key`, not `stripe`.\n- `match` — a valid RE2 regex. Use single quotes so backslashes don't need escaping.\n- `enabled` — optional. Defaults to `true`. Set to `false` to ship the pattern disabled-by-default (useful for high-false-positive patterns users can opt into).\n\nThe folder name is the category. No engine changes, no recompile, no release gate.\n\n**Pattern state**\n\n`atheon enable` and `atheon disable` write state to `~/.atheon/pattern_state.json`. 
The state survives binary updates and `atheon update` — your enabled/disabled preferences are reapplied on top of each new bundle automatically.\n\n```\natheon enable stripe-live-key\natheon disable console-log\natheon list --enabled\natheon list --disabled\n```\n\nPatterns are the heart of Atheon. Every pattern is one YAML file — small, fast to review, and immediately useful to every user once merged.\n\nSee [CONTRIBUTING.md](/HoraDomu/Atheon/blob/main/CONTRIBUTING.md) to add your own. See [ROADMAP.md](/HoraDomu/Atheon/blob/main/ROADMAP.md) for what categories and domains need patterns most.\n\nNew versions ship on the **10th and 21st of every month**. Releases are fully automated: tagging a version builds all platform binaries, generates the patterns bundle, and publishes everything to GitHub Releases, Homebrew, and Scoop automatically.\n\nLatest release: [github.com/HoraDomu/Atheon/releases/latest](https://github.com/HoraDomu/Atheon/releases/latest)\n\nAtheon is built by the community. Every pattern contributed ships to every user in the next release. See everyone who has helped make it here: [CONTRIBUTORS.md](/HoraDomu/Atheon/blob/main/CONTRIBUTORS.md)\n\nQuestions, pattern requests, or anything else:\n\n**Email:** [dommcpro@gmail.com](mailto:dommcpro@gmail.com)\n\nMIT with Additional Terms Copyright © 2026 Dominick Yanez\n\nYou are free to fork, clone, study, modify for personal or internal use, and contribute patterns or bug fixes back. 
That's encouraged.\n\nWhat you may not do:\n\n- Ship this software, or any derivative of it, as your own standalone product under a different name or brand\n- Remove or obscure the author's name or copyright notice from any copy, fork, or derivative work\n\nFor permissions beyond this scope: [dommcpro@gmail.com](mailto:dommcpro@gmail.com)\n\nSee the full [LICENSE](/HoraDomu/Atheon/blob/main/LICENSE) file for complete terms.", "url": "https://wpnews.pro/news/atheon-atheon-is-a-community-driven-pattern-matching-engine", "canonical_source": "https://github.com/HoraDomu/Atheon", "published_at": "2026-06-20 03:35:02+00:00", "updated_at": "2026-06-20 04:07:43.185652+00:00", "lang": "en", "topics": ["developer-tools", "ai-safety", "ai-tools"], "entities": ["Atheon", "HoraDomu", "Claude", "Cursor", "Windsurf"], "alternates": {"html": "https://wpnews.pro/news/atheon-atheon-is-a-community-driven-pattern-matching-engine", "markdown": "https://wpnews.pro/news/atheon-atheon-is-a-community-driven-pattern-matching-engine.md", "text": "https://wpnews.pro/news/atheon-atheon-is-a-community-driven-pattern-matching-engine.txt", "jsonld": "https://wpnews.pro/news/atheon-atheon-is-a-community-driven-pattern-matching-engine.jsonld"}}